1. Summary

In order to make computing on encrypted data both practical to use and secure from attack, it is necessary to discover, develop, and understand the mathematics on which it is based. Discovering and developing the mathematical foundations of fully homomorphic and somewhat homomorphic encryption schemes allows computing on encrypted data to be performed with confidence, knowing that its cryptographic security rests on sound mathematical foundations.

Hendrik Lenstra and Alice Silverberg discovered and developed some of the mathematical foundations of some homomorphic encryption schemes, and propose a variant that has some advantages over earlier systems in terms of efficiency. In this variant, the secret key of the encryption scheme is a lattice basis that is nearly orthogonal with respect to a certain measure. This makes decryption very efficient. The cryptographic security of the scheme comes from ensuring sufficient entropy when choosing the basis.

A primary method of attack on homomorphic encryption schemes consists of lattice algorithms performed on ideal lattices. The work performed here uses lattices that have some symmetry. Recommendations are that the mathematical foundations of lattices with symmetry be discovered and developed, in order to help quantify the security of homomorphic encryption schemes.

This material is based on research sponsored by DARPA under agreement number FA8750-11-1-0248. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DARPA or the U.S. Government.
2. Introduction

Fully Homomorphic Encryption (FHE) has been referred to as a “holy grail” of cryptography. Craig Gentry’s recent solution to the problem, while not efficient enough to be practical, was considered to be a major breakthrough. Since then, much progress has been made in the direction of finding efficient Fully Homomorphic Encryption schemes.

In encryption schemes, Bob encrypts a plaintext message to obtain a ciphertext. Alice decrypts the ciphertext to recover the plaintext. In Fully Homomorphic Encryption, parties that do not know the plaintext data can perform computations on it by performing computations on the corresponding ciphertexts.

A major application of FHE is to cloud computing. Alice can store her data in “the cloud”, e.g., on remote servers that she accesses via the Internet. The cloud has more storage capabilities and computing power than does Alice, so when Alice needs computations to be done on her data, she would like those computations to be done by the cloud. However, Alice does not trust the cloud. Her data might be sensitive (for example, Alice might be a hospital and the data might be patients’ medical records), and Alice would like the cloud to know as little as possible about her data, and about the results of the computations. So Alice sends encrypted data to the cloud, which can perform arithmetic operations on it without learning anything about the original raw data, by performing operations on the encrypted data.

Fully Homomorphic Encryption can be used to query a search engine without revealing what is being searched for (here, the search engine is doing the computations on encryptions of information that it doesn’t know).

More precisely, FHE has the following property. Say that ciphertexts $c_i$ decrypt to plaintexts $m_i$, i.e., $\mathrm{Decrypt}(c_i) = m_i$, where the $m_i$’s and $c_i$’s are elements of some ring (with two operations, addition and multiplication). In FHE one has

$$\mathrm{Decrypt}(c_1 + c_2) = m_1 + m_2, \qquad \mathrm{Decrypt}(c_1 \cdot c_2) = m_1 \cdot m_2.$$

In other words, decryption is doubly homomorphic, i.e., homomorphic with respect to the two operations addition and multiplication.

Being fully homomorphic means that whenever $f$ is a function composed of (finitely many) additions and multiplications in the ring, then

$$\mathrm{Decrypt}\bigl(f(c_1, \ldots, c_t)\bigr) = f(m_1, \ldots, m_t).$$

If the cloud (or an adversary) can efficiently compute $f(c_1, \ldots, c_t)$ from ciphertexts $c_1, \ldots, c_t$ without learning any information about the corresponding plaintexts $m_1, \ldots, m_t$, then the system is efficient and secure.

Another requirement for FHE is that the ciphertext sizes remain bounded, independent of the function $f$; this is known as the “compact ciphertexts” requirement.

Fully Homomorphic Encryption schemes can be either public key (where the encryptor knows the decryptor’s public key but not her private key) or symmetric key (where the encryptor and decryptor share a key that is used for both encryption and decryption).

H. W. Lenstra and A. Silverberg propose a variant of some somewhat homomorphic encryption schemes that were proposed earlier by others. In this variant, the secret key is a lattice basis that is nearly orthogonal with respect to Gauss’s general measure. This makes decryption very efficient. Cryptographic security comes from ensuring sufficient entropy when choosing the basis.

To fix ideas, we use the somewhat homomorphic encryption schemes of Smart-Vercauteren and Gentry-Halevi as our jumping off point. However, the ideas proposed here, and the discussion concerning their security and efficiency, should be useful in studying or implementing other cryptographic schemes.

Decryption in lattice-based encryption schemes relies on the secret lattice basis being better (i.e., more orthogonal) than a basis obtained via the Lenstra-Lenstra-Lovász (LLL) lattice basis reduction algorithm. The lattice bases proposed here are sufficiently orthogonal to give encryption schemes that are more efficient than with previously proposed bases, while maintaining cryptographic security.

In Section 3 we give the necessary background. The results and discussion are in Section 4, and constitute work performed jointly by Hendrik Lenstra and Alice Silverberg. Section 4.1 includes results and discussion concerning decryption. In Section 4.2 we discuss the security of a variant that has been proposed by Vercauteren and Gentry. In Section 4.3 we give some relevant algebraic number theory results, and give a natural inner product with respect to which the bases we construct will be nearly orthogonal. In Section 4.4 we present a first step in the direction of producing suitable nearly orthogonal bases, and in Section 4.5 we discuss the security of associated encryption schemes. In Section 4.6 we give the full variant proposed by Lenstra and Silverberg. In Section 4.7 we give results that justify why decryption works. A discussion of the cryptographic security is in Section 4.8.

The results are joint work with Hendrik Lenstra. Thanks go to Zvika Brakerski, Craig Gentry, Lily Khadjavi, Hendrik Lenstra, Chris Peikert, and Nigel Smart for helpful discussions and comments.
3. Methods, Assumptions, and Procedures

In this section we give the assumptions and background. In Section 3.1 we give some of the terminology, history, and other background. In Section 3.2 we recall a simple illustrative example. In Section 3.3 we recall an encryption scheme for which we will obtain some results in Section 4.

As usual, $\mathbb{Z}$, $\mathbb{Q}$, $\mathbb{R}$, and $\mathbb{C}$ denote the integers, rational numbers, real numbers, and complex numbers, respectively, and $\mathbb{F}_q$ denotes the finite field with $q$ elements.

3.1. Some history and background.

3.1.1. Early history. In 1978, shortly after the invention of the RSA Cryptosystem, Rivest, Adleman, and Dertouzos [35] came up with the idea of fully homomorphic encryption, which they called “privacy homomorphisms”. Their paper states, “although there are some truly inherent limitations on what can be accomplished, we shall see that it appears likely that there exist encryption functions which permit encrypted data to be operated on without preliminary decryption of the operands, for many sets of interesting operations. These special encryption functions we call ‘privacy homomorphisms’; they form an interesting subset of arbitrary encryption schemes”. Despite the optimism of Rivest, Adleman, and Dertouzos, fully homomorphic encryption remained out of reach for many years.

A number of cryptosystems are homomorphic with respect to one operation. For example, RSA and ElGamal encryption are homomorphic with respect to multiplication.

We recall that in (basic) RSA, Alice’s public key is $(N, e)$ and private key is $d$, where $N$ is a product of two large primes and where $de \equiv 1 \bmod \varphi(N)$. If $m \in \mathbb{Z}/N\mathbb{Z}$ is the plaintext, then the ciphertext is $c = m^e \bmod N$. To decrypt, Alice computes $c^d \bmod N = m$. If Bob encrypts messages $m_1$ and $m_2$ using Alice’s public key $(N, e)$, then the product of the resulting ciphertexts is the ciphertext of the product of the plaintexts $m_1$ and $m_2$, i.e., $(m_1^e \bmod N)(m_2^e \bmod N) = (m_1 m_2)^e \bmod N$. Thus, $\mathrm{Decrypt}(c_1 \cdot c_2) = \mathrm{Decrypt}(c_1) \cdot \mathrm{Decrypt}(c_2)$, where $c_i = m_i^e \bmod N$ is the ciphertext corresponding to the plaintext $m_i$.

For ElGamal, suppose the private key is $x \in \{1, \ldots, n-1\}$ and the public key is $h = g^x \in G$, where $G$ is a cyclic group of order $n$ generated by $g$. If $m_1, m_2 \in G$ are plaintext messages, then the corresponding ciphertexts are of the form $c_i = (a_i, b_i) = (g^{r_i}, m_i h^{r_i}) \in G \times G$ for $i = 1$ and $2$, where the $r_i$ are chosen by the encryptor(s) at random in $\{1, \ldots, n-1\}$. Then

$$\mathrm{Decrypt}(c_1 \cdot c_2) = \mathrm{Decrypt}(a_1 a_2, b_1 b_2) = \bigl((a_1 a_2)^x\bigr)^{-1} b_1 b_2 = (a_1^x)^{-1} b_1 \cdot (a_2^x)^{-1} b_2 = \mathrm{Decrypt}(c_1) \cdot \mathrm{Decrypt}(c_2).$$
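As an added illustration (not part of the report), the following Python snippet checks the two identities above on constructed toy parameters: textbook RSA with $N = 61 \cdot 53 = 3233$, $e = 17$, $d = 2753$, and ElGamal in the group $(\mathbb{Z}/1019\mathbb{Z})^*$ of order $n = 1018$ generated by $g = 2$. All parameter values are assumptions of this example and are far too small to offer any security.

```python
# Added example, not from the report: the multiplicative homomorphism of
# textbook RSA and of ElGamal (Section 3.1.1) on tiny constructed parameters.
import random

RSA_N, RSA_E, RSA_D = 3233, 17, 2753   # N = 61 * 53, phi(N) = 3120, 17 * 2753 = 1 mod 3120

def rsa_encrypt(m):
    """c = m^e mod N."""
    return pow(m, RSA_E, RSA_N)

def rsa_decrypt(c):
    """m = c^d mod N."""
    return pow(c, RSA_D, RSA_N)

def rsa_decrypt_product(m1, m2):
    """Decrypt(c_1 * c_2): the product of two ciphertexts decrypts to m_1 m_2 mod N."""
    c1, c2 = rsa_encrypt(m1), rsa_encrypt(m2)
    return rsa_decrypt(c1 * c2 % RSA_N)

# ElGamal in G = (Z/pZ)^* for the safe prime p = 1019; 2 is a primitive root mod p
# (constructed toy parameters), so n = p - 1 is the group order.
EG_P, EG_G = 1019, 2
EG_N = EG_P - 1

def eg_keygen(rng):
    """Private key x in {1, ..., n-1}; public key h = g^x."""
    x = rng.randrange(1, EG_N)
    return x, pow(EG_G, x, EG_P)

def eg_encrypt(h, m, rng):
    """c = (a, b) = (g^r, m h^r) for a fresh random r in {1, ..., n-1}."""
    r = rng.randrange(1, EG_N)
    return pow(EG_G, r, EG_P), m * pow(h, r, EG_P) % EG_P

def eg_decrypt(x, ct):
    """m = (a^x)^{-1} b, using pow(a, -x, p) for the modular inverse of a^x."""
    a, b = ct
    return pow(a, -x, EG_P) * b % EG_P

def eg_decrypt_product(m1, m2, seed=0):
    """Decrypt(a_1 a_2, b_1 b_2) = ((a_1 a_2)^x)^{-1} b_1 b_2, which equals m_1 m_2."""
    rng = random.Random(seed)
    x, h = eg_keygen(rng)
    (a1, b1), (a2, b2) = eg_encrypt(h, m1, rng), eg_encrypt(h, m2, rng)
    return eg_decrypt(x, (a1 * a2 % EG_P, b1 * b2 % EG_P))

if __name__ == "__main__":
    print("RSA:     Decrypt(c1*c2) =", rsa_decrypt_product(42, 99), " m1*m2 mod N =", 42 * 99 % RSA_N)
    print("ElGamal: Decrypt(c1*c2) =", eg_decrypt_product(5, 7), " m1*m2 mod p =", 5 * 7 % EG_P)
```

Both decryptions return the product of the plaintexts, which is exactly the multiplicative homomorphism the text describes; neither scheme offers a corresponding additive identity.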

There have been other encryption schemes with homomorphic properties. For example, the Goldwasser-Micali cryptosystem [21] and its generalization the Paillier cryptosystem [31] are homomorphic with respect to addition of plaintexts in the sense that

$$\mathrm{Decrypt}(c_1 \cdot c_2) = m_1 + m_2,$$

but are not homomorphic with respect to multiplication of plaintexts.

In [1], Boneh, Goh, and Nissim gave a partially homomorphic encryption scheme that can do one multiplication and any number of additions.

3.1.2. Gentry’s FHE scheme and beyond. Craig Gentry solved the problem of how to do Fully Homomorphic Encryption in his Stanford PhD thesis [12, 13, 14]. For the first time, there was now a scheme that could (inefficiently) do an arbitrary number of additions and multiplications.

Gentry’s solution used ideal lattices, i.e., ideals in algebraic number fields. Given that one requires a homomorphic property with respect to two operations, it is natural that rings come into play. In [12] and [13], the rings Gentry used were of the form

$$R = \mathbb{Z}[x]/(x^N + 1) \qquad \text{and} \qquad R_d = (\mathbb{Z}/d\mathbb{Z})[x]/(x^N + 1)$$

where $N = 2^n$ (see Section 3.3 below). It was later realized that one can use the rings $\mathbb{Z}$ and $\mathbb{Z}/d\mathbb{Z}$ to construct schemes parallel to those that use the rings $R$ and $R_d$ (see Section 3.2 below).

There have been a number of improvements, implementations, and new schemes. See for example [36, 11, 15, 37, 16, 25, 17, 6, 5, 9, 28, 4, 18, 19, 10, 3]. The NTRU encryption scheme [23], which was developed in the late 1990s, turned out to be “somewhat homomorphic”, and has been turned into an FHE scheme [29].

3.1.3. Security. The primary known attacks on FHE schemes are variants of the LLL lattice basis reduction algorithm [27]. The security of almost all currently known schemes is based on the presumed difficulty of some lattice problem, such as finding an approximately shortest (non-zero) vector in a high dimensional lattice.

A number of FHE schemes use ideal lattices rather than arbitrary lattices. These are very special lattices, and it might turn out to be the case that lattice attacks are easier for ideal lattices than for generic lattices. This is an open question. At the moment, special attacks that work better for ideal lattices than for general lattices are not yet known.

3.1.4. Somewhat Homomorphic Encryption (SHE). Somewhat Homomorphic Encryption (SHE) schemes are encryption schemes that have some homomorphic properties but are not fully homomorphic. With Somewhat Homomorphic Encryption one can generally do a limited number of additions and multiplications, but each time one does an operation, it contributes “noise” to the ciphertext (see Section 3.2 for an example). Eventually the noise is so great that it is not possible to decrypt. Also, in SHE schemes the ciphertexts could get larger (message expansion), i.e., the compact ciphertexts requirement might be violated. In Gentry’s initial work he started with an SHE scheme and then “bootstrapped” it to obtain an FHE scheme.
3.1.5. Bootstrapping. Gentry’s original FHE papers and thesis introduced the idea of bootstrapping. One “bootstraps” to go from a (bootstrappable) somewhat homomorphic encryption scheme to a fully homomorphic encryption scheme.

To make an SHE scheme fully homomorphic, one can include as part of the public key an encryption of the private key. When a ciphertext gets too large or too noisy, the encryptor can then use the somewhat homomorphic encryption scheme to evaluate the decryption function applied to the ciphertext, using the encrypted private key. This re-encryption process produces a new encryption of the original plaintext that is more compact and less noisy. For this to work, it is necessary for the somewhat homomorphic scheme to be “circular secure” (i.e., it must be able to securely encrypt its own private key) and capable of (homomorphically) evaluating the function $f = \mathrm{Decrypt}$ and “a little more”. Here, we view the argument of the Decrypt function as being the secret key, rather than the ciphertext, and we view the ciphertext as fixed.

Gentry also uses what he calls “squashing” of the decryption circuit in order to simplify decryption enough so that it is among the functions that the somewhat homomorphic scheme can homomorphically evaluate correctly. Squashing converts an SHE scheme into a bootstrappable SHE scheme. In [6], Brakerski and Vaikuntanathan use “dimension-modulus reduction” to simplify the decryption circuit and avoid squashing. Another way to remove squashing is given in [17].

In [4], Brakerski, Gentry, and Vaikuntanathan use “modulus switching” to reduce noise and lessen the need for bootstrapping. Modulus switching replaces a ciphertext mod $p_1$ with a ciphertext modulo a smaller modulus $p_2$ that decrypts to the same plaintext.

See [14] for a nice analogy (“Alice’s jewelry store”, with jewelry fabricated in nested secure gloveboxes) that gives the idea of FHE and bootstrapping. See also [22] for a good explanation of FHE for a general audience. See Vaikuntanathan’s survey article [38] for a good description of modulus switching and other concepts from FHE.

3.1.6. Malleability. We remark that FHE schemes are always “malleable”. In cryptography, malleability means that a ciphertext can be perturbed to create a new ciphertext that decrypts to a perturbation (in a known way) of the original plaintext. In a non-malleable encryption scheme, perturbing a ciphertext a little will generally produce an invalid ciphertext, i.e., one that does not decrypt to a valid plaintext. Malleability is often an undesirable property in cryptography. For example, if an auction uses encrypted bids, and (an adversary) Mallory sees the encryption of Bob’s bid, one wants it to be the case that Mallory cannot construct a new ciphertext that decrypts to a bid that is one more than Bob’s bid, i.e., one wants non-malleable encrypted bids.

There has been some work on obtaining partial or “targeted” non-malleability along with some limited homomorphic ability; see for example [33, 2]. There are interesting open questions in this area.
3.2. Somewhat Homomorphic Encryption over the Integers. We begin with a warm-up example from the introduction to [11]. This example of a somewhat homomorphic encryption scheme comes in two flavors, symmetric key and public key. To keep it short, we will be very imprecise about parameter choices and other details. For more information see [11].

We first give the symmetric key version. The shared key is an odd positive integer $k$. The message is a bit $m \in \{0, 1\}$. The encryptor chooses random integers $q$ and $r$ in a certain range, with $|2r| < k/2$, and computes the ciphertext

$$c = m + kq + 2r.$$

To decrypt, the decryptor computes $(c \bmod k) \bmod 2 = m$, where $a \bmod w$ means that one takes the representative of $a$ mod $w$ in the range $(-w/2, w/2]$.

If $c_i = m_i + kq_i + 2r_i$ for $i = 1, 2$, then

$$c_1 + c_2 = (m_1 + m_2) + k(q_1 + q_2) + 2(r_1 + r_2),$$

$$c_1 \cdot c_2 = m_1 m_2 + k(m_1 q_2 + m_2 q_1 + k q_1 q_2 + 2 q_1 r_2 + 2 r_1 q_2) + 2(m_1 r_2 + r_1 m_2 + 2 r_1 r_2).$$

Thus the noise grows, and after one does too many multiplications or additions, the decryption function no longer outputs the correct plaintext. The ciphertexts also blow up in size. This Somewhat Homomorphic Encryption scheme is not fully homomorphic, but in [11] van Dijk et al. use Gentry’s bootstrapping techniques to turn it into a Fully Homomorphic Encryption scheme.

A public key version, as in §3.1 of [11], is as follows. The secret key is again an odd positive integer $k$. The public key now consists of the integers $x_i = kq_i + 2r_i$ for $i = 0, 1, \ldots, t$, where the $q_i$ and $r_i$ are as before, so each $x_i$ can be viewed as an encryption of $0$ under the symmetric key scheme. The $x_i$ are taken so that $x_0$ is the largest, $x_0$ is odd, and $x_0 \bmod k$ is even, where again $x \bmod k$ is in the interval $(-k/2, k/2]$.

To encrypt a message bit $m \in \{0, 1\}$, the encryptor chooses a random subset $S$ of $\{1, \ldots, t\}$ and a random integer $r$ in a certain range. The ciphertext is

$$c = m + 2\sum_{i \in S} x_i + 2r \bmod x_0.$$

The decryptor computes $(c \bmod k) \bmod 2 = m$.

The security is based on the difficulty of the Approximate Common Divisor Problem, which is the problem of finding $k$, given a collection of integers of the form $\{kq_i + r_i\}_{i=0}^{t}$ with $r_i$ “small”. Approximate Common Divisor Problems were introduced in [24] and have been studied in [7, 8].
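The following Python program is an added example (not code from the report or from [11]) that implements both flavors of the scheme just described and makes the noise growth visible. On the decryptor's side it keeps, next to each symmetric ciphertext, the value $m + 2r$ that the ciphertext takes mod $k$, so one can see exactly when a product stops decrypting. The bit-sizes of $k$, the $q_i$, the $r_i$ and the count $t$ are assumed toy values chosen for this illustration and give no security.

```python
# Added example, not from the report or from [11]: the symmetric-key and
# public-key somewhat homomorphic schemes over the integers of Section 3.2.
import random

K_BITS, Q_BITS, R_BITS, T = 24, 40, 8, 10   # assumed toy sizes for k, the q_i, the r_i and t

def centered_mod(a, w):
    """a mod w with the representative taken in (-w/2, w/2], as in the text."""
    x = a % w
    return x - w if 2 * x > w else x

def sym_keygen(rng):
    """Shared secret key: an odd positive integer k."""
    return rng.randrange(2 ** (K_BITS - 1), 2 ** K_BITS) | 1

def sym_encrypt(k, m, rng):
    """c = m + kq + 2r with random q and a small r, so that |2r| < k/2.
    Returns (c, m + 2r): the second entry is the value c takes mod k, kept only
    as decryptor-side bookkeeping so the noise can be watched."""
    q = rng.randrange(2 ** Q_BITS)
    r = rng.randrange(-2 ** R_BITS, 2 ** R_BITS)
    return m + k * q + 2 * r, m + 2 * r

def decrypt(k, c):
    """(c mod k) mod 2 with both reductions centered."""
    return centered_mod(centered_mod(c, k), 2)

def hom_add(ct1, ct2):
    (c1, n1), (c2, n2) = ct1, ct2
    return c1 + c2, n1 + n2            # noise term (m_1 + 2r_1) + (m_2 + 2r_2)

def hom_mul(ct1, ct2):
    (c1, n1), (c2, n2) = ct1, ct2
    return c1 * c2, n1 * n2            # noise term (m_1 + 2r_1)(m_2 + 2r_2)

def decrypts_correctly(k, ct):
    """Decryption yields the intended bit exactly when the noise term is below k/2."""
    return 2 * abs(ct[1]) < k

def squarings_until_failure(k, ct, cap=64):
    """Square a ciphertext repeatedly; count how many products still decrypt."""
    count = 0
    while count < cap and decrypts_correctly(k, hom_mul(ct, ct)):
        ct, count = hom_mul(ct, ct), count + 1
    return count

def product_identity(m1, q1, r1, m2, q2, r2, k):
    """The expansion of c_1 * c_2 displayed in the text, checked by direct multiplication."""
    lhs = (m1 + k * q1 + 2 * r1) * (m2 + k * q2 + 2 * r2)
    rhs = (m1 * m2 + k * (m1 * q2 + m2 * q1 + k * q1 * q2 + 2 * q1 * r2 + 2 * r1 * q2)
           + 2 * (m1 * r2 + r1 * m2 + 2 * r1 * r2))
    return lhs == rhs

def pk_keygen(rng):
    """Public key x_i = k q_i + 2 r_i (encryptions of 0) for i = 0..t, with x_0 the
    largest, odd, and even mod k; arranged here by giving x_0 an odd q_0 that is
    larger than every other q_i (this construction is an assumption of the example)."""
    k = sym_keygen(rng)
    xs = [k * (2 ** Q_BITS + 1) + 2 * rng.randrange(-2 ** R_BITS, 2 ** R_BITS)]
    xs += [sym_encrypt(k, 0, rng)[0] for _ in range(T)]
    assert xs[0] == max(xs) and xs[0] % 2 == 1 and centered_mod(xs[0], k) % 2 == 0
    return k, xs

def pk_encrypt(xs, m, rng):
    """c = m + 2 * sum_{i in S} x_i + 2r mod x_0 for a random subset S of {1, ..., t}."""
    subset_sum = sum(x for x in xs[1:] if rng.random() < 0.5)
    r = rng.randrange(-2 ** R_BITS, 2 ** R_BITS)
    return centered_mod(m + 2 * subset_sum + 2 * r, xs[0])

def run_demo(seed=0):
    """Round trip, one XOR, one AND and the multiplicative depth for every bit pair,
    then a public-key round trip of the bits 0, 1, 1, 0."""
    rng = random.Random(seed)
    k = sym_keygen(rng)
    sym = {}
    for m1 in (0, 1):
        for m2 in (0, 1):
            ct1, ct2 = sym_encrypt(k, m1, rng), sym_encrypt(k, m2, rng)
            sym[(m1, m2)] = (decrypt(k, ct1[0]), decrypt(k, hom_add(ct1, ct2)[0]),
                             decrypt(k, hom_mul(ct1, ct2)[0]), squarings_until_failure(k, ct1))
    k2, xs = pk_keygen(rng)
    pk = [decrypt(k2, pk_encrypt(xs, m, rng)) for m in (0, 1, 1, 0)]
    return sym, pk

if __name__ == "__main__":
    sym, pk = run_demo()
    for bits, (m, xor, and_, depth) in sym.items():
        print(bits, "-> m1 =", m, " xor =", xor, " and =", and_, " squarings still correct =", depth)
    print("public-key round trip of 0,1,1,0:", pk)
```

With these sizes a fresh noise term is below $2^{10}$ while $k/2$ is about $2^{23}$, so one squaring (noise about $2^{20}$) still decrypts but a second one generally does not; that is the limited multiplicative depth the text refers to, and the bookkeeping value shows it without touching the secret key more than decryption itself does.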

3.3. The Gentry, Smart-Vercauteren, and Gentry-Halevi SHE schemes. We next give a version of the Somewhat Homomorphic Encryption schemes that were introduced by Gentry in [12, 13] and improved on by Smart and Vercauteren in [36] and by Gentry and Halevi in [16] (see also [28]). In these schemes, the public key corresponds to a “bad” (skewed) basis for a lattice, while the private key is a “good” (more orthogonal) basis for the same lattice. The ($N$-dimensional) lattices are ideals in the ring of integers of the cyclotomic field of $2N$-th roots of unity. The plaintext is encoded as a (suitable) point in the ambient space $\mathbb{R}^N$. Encryption translates that point into the fundamental parallelepiped associated to the bad (public) basis. Decryption translates the ciphertext point into the fundamental parallelepiped associated to the good (private) basis. The security relies partly on the fact that it is difficult to find a good, nearly orthogonal basis for a given lattice.
We next give some of the details of a version of the scheme. Let

$$F(x) = x^N + 1 \in \mathbb{Z}[x]$$

with $N = 2^n$. Let $\theta$ be a root of $F(x)$; then $\theta$ is a primitive $2N$-th root of unity. Let

$$K = \mathbb{Q}[x]/(F(x)) \cong \mathbb{Q}(\theta),$$

a CM-field of degree $N$ over $\mathbb{Q}$. (A CM-field is a totally imaginary quadratic extension of a totally real number field. Examples include imaginary quadratic fields and cyclotomic fields. The $K$ defined here is a cyclotomic field.) Let

$$v(x) = \sum_{i=0}^{N-1} v_i x^i \in \mathbb{Z}[x]$$

be a degree $N-1$ polynomial whose coefficients $v_i$ are random $t$-bit integers for a suitably chosen $t$, and consider the $N \times N$ integral matrix

$$V = \begin{pmatrix} v_0 & v_1 & \cdots & v_{N-1} \\ -v_{N-1} & v_0 & \cdots & v_{N-2} \\ \vdots & \vdots & \ddots & \vdots \\ -v_1 & -v_2 & \cdots & v_0 \end{pmatrix}. \tag{1}$$

The rows of $V$ are the coefficients of $x^i v(x) \bmod F(x)$ for $i = 0, \ldots, N-1$. Let $L$ denote the lattice in $\mathbb{Z}^N$ generated by the rows of $V$, let $\gamma = v(\theta) \in K$, let $\mathrm{Norm}_{K/\mathbb{Q}} : K \to \mathbb{Q}$ denote the norm map, and let

$$d = \mathrm{Norm}_{K/\mathbb{Q}}(v(\theta)) = \mathrm{resultant}(F, v) = \det(V) = \det(L). \tag{2}$$

Replace the random polynomial $v(x)$ if necessary, until you have found one for which $d$ is odd and square-free. (In [36], they start with $v(x) \equiv 1 \bmod 2\mathbb{Z}[x]$ to ensure that $d$ is odd, and they replace $v(x)$, if necessary, until they find one for which $d$ is prime. In [16] it is shown that it is not necessary for $d$ to be prime; it suffices to have $d$ odd and square-free.)

Whenever $A$ is a matrix whose rows $\{a_1, \ldots, a_N\}$ form a $\mathbb{Z}$-basis for a lattice $L \subseteq \mathbb{R}^N$, define

$$P(A) = \Bigl\{\sum_{i=1}^{N} \alpha_i a_i : \alpha_i \in [-0.5, 0.5)\Bigr\},$$

a (half-open) parallelepiped. This is the “fundamental parallelepiped” associated to $A$. Every element of $\mathbb{R}^N / L$ has a unique representative in $P(A)$.

All reductions mod $d$ will be taken in the range $[-d/2, d/2)$. Let $r \in [-d/2, d/2)$ denote the unique common root of $F(x)$ and $v(x)$ mod $d$. Let $r_i = r^i \pmod d$ and consider the $N \times N$ integral matrix

$$B = \begin{pmatrix} d & 0 & 0 & \cdots & 0 \\ -r_1 & 1 & 0 & \cdots & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ -r_{N-1} & 0 & 0 & \cdots & 1 \end{pmatrix}. \tag{3}$$

Since $d$ is odd and square-free, it follows that $B$ is the Hermite Normal Form of the matrix $V$.
The public key now consists of $d$ and $r$ (or equivalently the matrix $B$), and the secret key is $v(x)$ (or the matrix $V$). To encrypt a bit $m \in \{0, 1\}$, choose a random noise polynomial $u(x) = \sum_{i=0}^{N-1} u_i x^i$ with each coefficient $u_i \in \{0, \pm 1\}$ taking values $1$ and $-1$ with equal probability. Let $a(x) = m + 2u(x)$ and let

$$a = (2u_0 + m, 2u_1, \ldots, 2u_{N-1})$$

be the vector of coefficients of $a(x)$. Let $\lceil \cdot \rfloor$ denote rounding to the nearest integer. Let the ciphertext be

$$c = a - \bigl(\lceil aB^{-1} \rfloor B\bigr) = (m + 2u(r) \bmod d, 0, \ldots, 0),$$

which is the translation of $a$ to the parallelepiped $P(B)$ (where translation means that one subtracts lattice vectors until one lands in the fundamental parallelepiped). To decrypt a ciphertext $c$, let

$$a_1 = c - \bigl(\lceil cV^{-1} \rfloor V\bigr) = (a_0, \ldots, a_{N-1}),$$

which is the translation of $c$ to the parallelepiped $P(V)$, and compute $m = a_0 \pmod 2$. As shown on p. 145 of [16], decryption works (i.e., $a_1 = a$) as long as the absolute value of every entry in $aV^{-1}$ is less than

The rows of the matrix $B$ are a “bad”, i.e., skewed basis for the lattice $L$, while the rows of $V$ are a “good” (secret) basis for $L$. If the rows of $V$ are sufficiently orthogonal, and if the plaintext point $a$ is chosen in a suitable way, then decryption yields the original plaintext point.

The scheme is homomorphic because its multiplication and addition are just multiplication and addition in the ring of integers of the field $K$.
The security of the above scheme is based on the simultaneous difficulty of the following problems.

The Small Principal Ideal Problem (SPIP) is the problem, given a principal ideal in either Hermite Normal Form (i.e., the matrix $B$) or two element representation (i.e., $(d, \theta - r)$), of finding a “small” generator (e.g., $v(\theta)$) for it. If the SPIP is sufficiently hard, that would thwart a key recovery attack, wherein an adversary who knows the public key ($B$ or $(d, r)$) tries to find the secret key ($v(x)$).

Security against an attack where the adversary tries to find the plaintext, given a ciphertext, is closely related to the difficulty of the Closest Vector Problem for ideal lattices. This is the problem of finding a closest lattice point to a given point in the ambient space.

Another type of security is “semantic security”. The requirement for semantic security is that an adversary, who is presented with a ciphertext that is either an encryption of $0$ or an encryption of $1$, cannot distinguish which it is with probability greater than $\frac{1}{2} + \varepsilon$ of getting the correct answer. The semantic security of the scheme is related to a new problem, that Smart and Vercauteren call the Polynomial Coset Problem. The Polynomial Coset Problem is the problem of distinguishing between a random element of $\mathbb{Z}/d\mathbb{Z}$ and an element of the form $f(r) \bmod d$, where $f(x) \in \mathbb{Z}[x]$ is random (and unknown) with small coefficients and $r$ is the common root of $F(x)$ and $v(x)$ mod $d$. The paper [36] states that the Polynomial Coset Problem is akin to Gentry’s Ideal Coset Problem from [12]. These problems can be viewed as versions of the Bounded Distance Decoding problem from coding theory.

Gentry, Smart-Vercauteren and Gentry-Halevi “bootstrap” their somewhat homomorphic encryption schemes into fully homomorphic encryption schemes using a re-encryption algorithm. Making this cryptographically secure requires an additional security assumption, namely the difficulty of a decisional version of the Sparse Subset-Sum Problem, i.e., it should be difficult to distinguish between random subsets of $\mathbb{Z}/d\mathbb{Z}$ and those that have sparse subsets that sum to $0$. Here, bootstrapping augments the public key with a “hint” about the secret key, namely, with a large set of vectors that has a very sparse subset that sums to the secret key.
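The Python program below is an added example, not code from the report or from [36] or [16], that carries out the version of the scheme just described on a toy instance in exact rational arithmetic: it draws $v(x)$, forms $V$ as in (1), computes $d = \det(V)$ as in (2), derives the common root $r$ and the basis $B$ of (3), encrypts with $c = a - \lceil aB^{-1} \rfloor B$, decrypts with $a_1 = c - \lceil cV^{-1} \rfloor V$, and checks one homomorphic addition and one multiplication. Everything not stated in the text is an assumption of this example: the sizes $N = 4$ and $t = 8$ (far too small for security); drawing each $u_i$ uniformly from $\{-1, 0, 1\}$; obtaining $r$ from $Z(x) = d\,v(x)^{-1} \bmod F(x)$ through the congruence $(x - r)Z(x) \equiv 0 \pmod{d, F(x)}$, which expresses that $(-r, 1, 0, \ldots, 0)$ lies in $L$; and the criterion used in key generation that every entry of $aV^{-1}$ be smaller than $1/2$ in absolute value, the standard condition under which rounding to the nearest integer recovers $a$ exactly. Keys whose secret basis is not orthogonal enough to guarantee that criterion (for a fresh plaintext, a sum of two and a product of two) are rejected, so decryption in the demonstration is guaranteed rather than probabilistic.

```python
# Added example, not from the report: a toy instance of the Smart-Vercauteren /
# Gentry-Halevi SHE scheme of Section 3.3, with exact rational arithmetic.
import math
import random
from fractions import Fraction

N, T_BITS = 4, 8   # toy sizes assumed for this example: dimension N, bits of each v_i

def centered(a, w):
    """a mod w with the representative taken in [-w/2, w/2)."""
    x = a % w
    return x - w if 2 * x >= w else x

def round_nearest(x):
    """The rounding of the text; ties go up, so x - round(x) lies in [-1/2, 1/2)."""
    return math.floor(x + Fraction(1, 2))

def negacyclic_mul(a, b):
    """Product of coefficient vectors modulo F(x) = x^N + 1 (i.e. with x^N = -1)."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N] += ai * bj if i + j < N else -ai * bj
    return out

def rotation_matrix(v):
    """The matrix V of (1): row i holds the coefficients of x^i v(x) mod F(x)."""
    return [[v[j - i] if j >= i else -v[N + j - i] for j in range(N)] for i in range(N)]

def inverse_and_det(M):
    """Gauss-Jordan elimination over Q; returns (M^-1, det M) exactly."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    det = Fraction(1)
    for c in range(n):
        p = next(i for i in range(c, n) if A[i][c] != 0)
        A[c], A[p], det = A[p], A[c], (-det if p != c else det)
        piv = A[c][c]
        det *= piv
        A[c] = [x / piv for x in A[c]]
        for i in range(n):
            f = A[i][c]
            if i != c and f != 0:
                A[i] = [x - f * y for x, y in zip(A[i], A[c])]
    return [row[n:] for row in A], det

def matvec(x, M):
    """Row vector x times matrix M."""
    return [sum(xi * M[i][j] for i, xi in enumerate(x)) for j in range(len(M[0]))]

def to_parallelepiped(x, A, A_inv):
    """Translate x into P(A): x - round(x A^-1) A, an integer vector."""
    k = [round_nearest(t) for t in matvec(x, A_inv)]
    return [int(xi - yi) for xi, yi in zip(x, matvec(k, A))]

def is_squarefree(n):
    return all(n % (p * p) for p in range(2, math.isqrt(n) + 1))   # fine for toy sizes

def keygen(seed=1, max_tries=1000):
    """Draw v(x) until d is odd and square-free and V is orthogonal enough that the
    rounding in decryption provably succeeds for a fresh ciphertext, a sum of two
    and a product of two (plaintext coefficients of absolute value at most 9N)."""
    rng = random.Random(seed)
    for _ in range(max_tries):
        v = [rng.randrange(-2 ** T_BITS, 2 ** T_BITS) for _ in range(N)]
        if not any(v):
            continue
        V = rotation_matrix(v)
        V_inv, det = inverse_and_det(V)
        d = int(det)                                   # d = det(V) = Norm(v(theta)), eq. (2)
        colsum = max(sum(abs(V_inv[i][j]) for i in range(N)) for j in range(N))
        if d % 2 == 0 or not is_squarefree(d) or 9 * N * colsum >= Fraction(1, 2):
            continue
        z = [int(d * t) for t in V_inv[0]]             # Z(x) = d v(x)^-1 mod F(x), integral
        # (x - r) Z(x) = 0 mod (d, F) gives r = z_{j-1}/z_j = -z_{N-1}/z_0 mod d.
        pairs = [(z[j - 1], z[j]) for j in range(1, N)] + [(-z[N - 1], z[0])]
        num, den = next(((a, b) for a, b in pairs if math.gcd(b, d) == 1), (0, 0))
        if den == 0:
            continue
        r = centered(num * pow(den, -1, d), d)         # the common root of F and v mod d
        B = [[d] + [0] * (N - 1)] + [[-centered(pow(r, i, d), d)] +
             [int(t == i) for t in range(1, N)] for i in range(1, N)]   # the HNF basis (3)
        if any(t.denominator != 1 for row in B for t in matvec(row, V_inv)):
            continue                                   # every row of B must lie in L
        return {"v": v, "V": V, "V_inv": V_inv, "d": d, "r": r, "B": B,
                "B_inv": inverse_and_det(B)[0]}
    raise RuntimeError("no suitable key found")

def encrypt(pub, m, rng=None):
    """c = a - round(a B^-1) B with a = (2u_0 + m, 2u_1, ..., 2u_{N-1}); the u_i are
    drawn uniformly from {-1, 0, 1} here (an assumption about the distribution)."""
    rng = rng or random.Random()
    u = [rng.choice((-1, 0, 1)) for _ in range(N)]
    a = [2 * u[0] + m] + [2 * ui for ui in u[1:]]
    c = to_parallelepiped(a, pub["B"], pub["B_inv"])
    u_at_r = sum(ui * pow(pub["r"], i, pub["d"]) for i, ui in enumerate(u))
    assert c == [centered(m + 2 * u_at_r, pub["d"])] + [0] * (N - 1)   # closed form of the text
    return c

def decrypt(key, c):
    """a_1 = c - round(c V^-1) V, then m = a_0 mod 2."""
    return to_parallelepiped(c, key["V"], key["V_inv"])[0] % 2

def hom_add(pub, c1, c2):   # coordinate-wise sum, translated back into P(B)
    return to_parallelepiped([x + y for x, y in zip(c1, c2)], pub["B"], pub["B_inv"])

def hom_mul(pub, c1, c2):   # ring product modulo F(x), translated back into P(B)
    return to_parallelepiped(negacyclic_mul(c1, c2), pub["B"], pub["B_inv"])

if __name__ == "__main__":
    key = keygen()
    print("d =", key["d"], " r =", key["r"])
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = encrypt(key, m1), encrypt(key, m2)
            print((m1, m2), "->", decrypt(key, c1), decrypt(key, c2),
                  "xor", decrypt(key, hom_add(key, c1, c2)), "and", decrypt(key, hom_mul(key, c1, c2)))
```

Only the public fields `d`, `r`, `B` and `B_inv` are used by `encrypt`, `hom_add` and `hom_mul`; `decrypt` is the only routine that touches `V`. The assertion inside `encrypt` checks the closed form $(m + 2u(r) \bmod d, 0, \ldots, 0)$ against the parallelepiped computation, and the check that every row of $B$ lies in $L$ is what makes the rounding argument for decryption go through.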
4. Results and Discussion

We first give some observations concerning the Smart-Vercauteren (SV) and Gentry-Halevi (GH) schemes that were reviewed in Section 3.3 above. Our main result is a proposed variant of these schemes (see Section 4.6). We justify introducing this variant, and discuss some pros and cons in comparison to earlier schemes. This section represents joint work of Hendrik Lenstra and Alice Silverberg.

4.1. Some comments on the SV and GH schemes. We retain the notation of Section 3.3. The secret basis for the lattice $L$ in the Smart-Vercauteren and Gentry-Halevi schemes consists of the rows of $V$, where the first row is chosen “at random”. The more random, the higher the security, but the less likely that one can actually decrypt.

Our goal is to replace this secret basis with a nearly orthogonal set of vectors (and replace the lattice $L$ with the lattice generated by these vectors). If the secret basis is nearly orthogonal, then decryption is feasible and amounts to finding a shortest vector in the coset $c + L$, and security is maintained as long as there is still sufficient randomness.

With the Smart-Vercauteren and Gentry-Halevi schemes, decryption fails if the vector $a$ does not lie in the parallelepiped $P(V)$. In this section we discuss some aspects of decryption, which motivated us to find a refinement of the SV and GH schemes in which decryption is more likely to succeed.

If $g(x) = \sum_{i=0}^{t} g_i x^i \in \mathbb{Z}[x]$, let

$$\|g(x)\|_2 = \sqrt{\textstyle\sum_{i=0}^{t} g_i^2} \qquad \text{and} \qquad \|g\|_\infty = \max_{i=0,\ldots,t} |g_i|.$$

In [36, p. 427] it is shown that if the resultant $d$ of (2) is roughly of a certain size (a product of powers of norms of $v(x)$ and $F(x)$), where $\deg(v) = m = N - 1$, then a quantity they call the decryption radius is sufficiently large to allow decryption. In Lemma 1 below we prove that the resultant $d$ is at most $\|v(x)\|_2^N$, and therefore is not of the size required there. In Lemma 2 we refine the bound in Lemma 1 of [36], in order to enable the decryption radius to be potentially sufficiently large to allow decryption.

(Note that the notation $v, r, \theta, d$, and $a(x)$, which came from [16], is denoted $G, \alpha, \zeta, p$, and $C(x)$, respectively, in [36].)

Lemma 1. $d \le \|v(x)\|_2^N$.

Proof. With $\theta$ a primitive $2N$-th root of unity as above, and taking the products and sum over all the roots $\zeta$ of $F(x)$, we have

$$d = \mathrm{Norm}_{K/\mathbb{Q}}(v(\theta)) = \prod_{F(\zeta)=0} v(\zeta) = \prod_{F(\zeta)=0} \bigl(v(\zeta)\,\overline{v(\zeta)}\bigr)^{1/2} = \Bigl(\prod_{F(\zeta)=0} v(\zeta)\,\overline{v(\zeta)}\Bigr)^{1/2} \le \Bigl(\frac{1}{N}\sum_{F(\zeta)=0} v(\zeta)\,\overline{v(\zeta)}\Bigr)^{N/2} \tag{4}$$

where the inequality follows from the arithmetic-geometric mean inequality. Since

$$\sum_{F(\zeta)=0} \zeta^k = \mathrm{Tr}_{K/\mathbb{Q}}(\theta^k) = \begin{cases} N & \text{if } k = 0, \\ 0 & \text{if } 0 < |k| < N, \end{cases}$$

we have

$$\sum_{F(\zeta)=0} v(\zeta)\,\overline{v(\zeta)} = \sum_{F(\zeta)=0} \Bigl(\sum_{i=0}^{N-1} v_i \zeta^i\Bigr)\Bigl(\sum_{j=0}^{N-1} v_j \zeta^{-j}\Bigr) = \sum_{0 \le i, j < N} v_i v_j \sum_{F(\zeta)=0} \zeta^{i-j} = N \sum_{i=0}^{N-1} v_i^2 = N\,\|v(x)\|_2^2.$$

The desired result follows by combining this with (4). □


The next result is a refinement of Lemma 1 of [36]. We recall that Lemma 1 of [36] stated that there exists a $Z(x) \in \mathbb{Z}[x]$ such that $Z(x)v(x) \equiv d \bmod F(x)$ and $\|Z(x)\|_\infty \le \|v(x)\|_2^{N-1}\,\|F(x)\|_2^{N-1}$. (The $Z(x)$ obtained in Lemma 2 below is the same as the $Z(x)$ in Lemma 1 of [36].)


Lemma 2. There exists a polynomial $Z(x) \in \mathbb{Z}[x]$ such that $Z(x)v(x) \equiv d \bmod F(x)$ and $\|Z(x)\|_\infty \le \|v(x)\|_2^{N-1}$.


Proof. As in [36], we apply Cramer's Rule and Hadamard's inequality. However, instead of applying the Hadamard inequality directly, we first do elementary operations to the Sylvester matrix that do not change its determinant $d$, and then apply Hadamard's inequality.

As in [36], there are polynomials
$$S(x) = \sum_{i=0}^{N-1} s_i x^i,\qquad T(x) = \sum_{i=0}^{m-1} t_i x^i \ \in \mathbb{Q}[x]$$
such that
$$S(x)v(x) + T(x)F(x) = 1.$$
Let $Z(x) = dS(x) = \sum z_i x^i \in \mathbb{Z}[x]$. Then
$$Z(x)v(x) \equiv d \bmod F(x).$$


As in [36] we have the matrix equation
$$
\begin{pmatrix}
v_m & 0 & \cdots & 0 & 1 & 0 & \cdots & 0\\
v_{m-1} & v_m & \cdots & 0 & 0 & 1 & \cdots & 0\\
\vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots\\
v_1 & v_2 & \cdots & 0 & 0 & 0 & \cdots & 1\\
v_0 & v_1 & \cdots & v_m & 0 & 0 & \cdots & 0\\
0 & v_0 & \cdots & v_{m-1} & 1 & 0 & \cdots & 0\\
0 & 0 & \cdots & v_{m-2} & 0 & 1 & \cdots & 0\\
\vdots & \vdots & & \vdots & \vdots & \vdots & \ddots & \vdots\\
0 & 0 & \cdots & v_0 & 0 & 0 & \cdots & 1
\end{pmatrix}
\begin{pmatrix} s_{N-1}\\ s_{N-2}\\ \vdots\\ s_0\\ t_{m-1}\\ \vdots\\ t_0\end{pmatrix}
=
\begin{pmatrix} 0\\ 0\\ \vdots\\ 0\\ 1\end{pmatrix}
$$
where the first matrix is the Sylvester matrix $\mathrm{Syl}(v,F)^T$, an $(m+N)\times(m+N)$ matrix whose determinant is the resultant of $v$ and $F$, which is $d$.

Suppose $1 \le j \le N$. As the first step in using Cramer's Rule to compute the $j$-th entry $s_{N-j}$ of the vector of unknowns $(s_{N-1},\dots,t_0)$, substitute the right hand vector of constants $(0,\dots,0,1)^T$ for the $j$-th column of the matrix $\mathrm{Syl}(v,F)^T$.

Then for $i = 1,\dots,N-1$, replace the $i$-th row of that matrix with that row minus the $(N+i)$-th row, so that the upper right $(N-1)\times(N-1)$ corner is a zero matrix. Then the determinant of the resulting matrix is the determinant of its upper left $(N-1)\times(N-1)$ submatrix, which by Cramer's Rule is $s_{N-j}\det(\mathrm{Syl}(v,F)) = d\,s_{N-j} = z_{N-j}$. Applying Hadamard's inequality to the columns, and using that the entries of the columns are the coefficients of $v(x)$, up to sign and permutation, we have that this determinant has absolute value at most $\|v(x)\|_2^{N-1}$, giving the desired result. □


We now examine the effect on decryption. As on p. 426 of [36], define
$$\delta_\infty = \sup\Big\{\frac{\|g(x)h(x) \bmod F(x)\|_\infty}{\|g(x)\|_\infty\,\|h(x)\|_\infty} : \deg(g),\deg(h) < N\Big\}.$$
Lemma 2 of [36] shows that for $F(x) = x^N + 1$ one has $\delta_\infty \le N$.

Define the decryption radius
$$r_{\mathrm{Dec}} = \frac{d}{2\,\delta_\infty\,\|Z(x)\|_\infty}$$
(following Lemma 1 of [28]). As in Lemma 1 of [28] and p. 425 of [36], decryption can be done if $\|a(x)\|_\infty < r_{\mathrm{Dec}}$. Using the refined bound $\|Z(x)\|_\infty \le \|v(x)\|_2^{N-1}$ of Lemma 2 above and using that $\delta_\infty \le N$, we obtain
$$r_{\mathrm{Dec}} \ \ge\ \frac{d}{2N\,\|v(x)\|_2^{N-1}}. \qquad (5)$$
If one knew that $d$ were approximately $\|v(x)\|_2^{N}$, rather than just being bounded above by it as in Lemma 1, then using (5) would give
$$r_{\mathrm{Dec}} \ \ge\ \frac{d}{2N\,\|v(x)\|_2^{N-1}} \ \approx\ \frac{\|v(x)\|_2^{N}}{2N\,\|v(x)\|_2^{N-1}} = \frac{\|v(x)\|_2}{2N}.$$

However, if the resultant $d$ is unexpectedly small and the coefficients of $Z(x)$ are sufficiently large, then $r_{\mathrm{Dec}}$ will be so small that decryption will not be possible. This is potentially a problem for the encryption scheme, motivating us to restrict the choice of the polynomial $v(x)$ in order to improve the ability to decrypt.


4.2. Comments on a Gentry and Vercauteren variant of the SV and GH schemes. To address the problem pointed out in the previous section, rather than taking $v_0,\dots,v_{N-1}$ to be random $t$-bit integers as in [36, 16], Vercauteren (in email discussion with Lenstra) and Gentry (in conversation and email with Silverberg) suggested taking $v_0$ to be approximately $2^t$ and taking the remaining $v_i$'s of negligible size compared to $2^t$, so that
$$(v_0,\dots,v_{N-1}) \approx (2^t, 0, \dots, 0).$$
The resulting basis is “mildly orthogonal” (in Gentry's words). In particular, it is orthogonal enough to allow decryption.

We next look briefly at the security of this variant. Let
$$R = \mathbb{Z}[\theta] = \mathbb{Z}[x]/(F(x)),$$
the ring of integers of the field $K$. Let
$$K_{\mathbb{R}} = K \otimes_{\mathbb{Q}} \mathbb{R} = R \otimes_{\mathbb{Z}} \mathbb{R} \cong \mathbb{C}^{N/2} \cong \mathbb{R}^{N},$$
a Euclidean space, i.e., a finite dimensional vector space over $\mathbb{R}$ with a positive definite symmetric bilinear form.

Let $v = v(\theta) \approx v_0$. Then $L = Rv \cong \mathbb{Z}^N$ is a lattice in $K_{\mathbb{R}}$, and
$$d = \det(L) = \#(R/Rv) = \mathrm{Norm}_{K/\mathbb{Q}}(v) \approx |v_0|^N.$$
Thus, $d^{1/N}$ is approximately $|v_0|$. Let
$$a = 1 \otimes d^{1/N} \in K_{\mathbb{R}}.$$
Then $\|a - v\|$ is small. Recovering $v$ amounts to solving the inhomogeneous approximation problem, with input $a$, to find the closest lattice vector $v$ to $a$. However, if $v_1,\dots,v_{N-1}$ are too small, then the closest lattice vector to $a$ is much closer than the next closest lattice vector, so the LLL algorithm finds it.

4.3. Gauss's general measure. The scheme in [36] is analyzed there using the $\ell_2$-norm $\|v(x)\|_2$. We instead use a norm that has some additional nice mathematical properties. When $F(x) = x^{2^n} + 1$ the two norms happen to coincide.

For now, take $K$ to be any number field, let $N = [K:\mathbb{Q}]$, and let $K_{\mathbb{R}}$ denote the $\mathbb{R}$-algebra $K \otimes_{\mathbb{Q}} \mathbb{R}$. Define
$$q : K_{\mathbb{R}} \to \mathbb{R}_{\ge 0} \quad\text{by}\quad q(\beta) = \frac{1}{N}\sum_{\sigma : K_{\mathbb{R}} \to \mathbb{C}} \sigma(\beta)\overline{\sigma(\beta)} = \frac{1}{N}\sum_{\sigma : K_{\mathbb{R}} \to \mathbb{C}} |\sigma(\beta)|^2$$
where the bar denotes complex conjugation and the sum runs over all $\mathbb{R}$-algebra homomorphisms from $K_{\mathbb{R}}$ into $\mathbb{C}$.

The map $q$ is a positive definite quadratic form on the $\mathbb{R}$-vector space $K_{\mathbb{R}}$, and $q$ is canonical, independent of a choice of basis. The map $q$ is (a renormalization of) the “general measure” of Gauss, and is sometimes called the $T_2$-norm. See [26] for some of its properties, especially in the case where $K$ is a cyclotomic field.

The inner product on $K_{\mathbb{R}}$ associated to the quadratic form $q$ is
$$\langle \beta, \beta' \rangle = \frac{q(\beta + \beta') - q(\beta) - q(\beta')}{2}.$$
The length of $\beta$ is

(6)

The map $q$ satisfies a Cauchy-Schwarz inequality:
$$|\langle \beta, \beta' \rangle| \le \sqrt{q(\beta)}\,\sqrt{q(\beta')}. \qquad (7)$$
When $K$ is a CM or totally real number field, then for all $\beta \in K$ we have
$$q(\beta) = \frac{1}{N}\mathrm{Tr}_{K/\mathbb{Q}}(\beta\bar\beta) \in \mathbb{Q}.$$

From now on, suppose that $N = 2^n$, $F(x) = x^N + 1$, $\theta$ is a root of $F(x)$, and $K = \mathbb{Q}[x]/(F(x)) = \mathbb{Q}(\theta)$. Then $\sigma(\bar\beta) = \overline{\sigma(\beta)}$ for all $\beta \in K$ (since $K$ is a CM-field), and it follows that for all $\beta, \beta' \in K$ we have
$$\langle \beta, \beta' \rangle = \frac{1}{N}\mathrm{Tr}_{K/\mathbb{Q}}(\beta\overline{\beta'}) = \frac{1}{N}\sum_{\sigma : K \to \mathbb{C}} \sigma(\beta)\overline{\sigma(\beta')}. \qquad (8)$$
This inner product is $\mathrm{Gal}(K/\mathbb{Q})$-equivariant. Further, if $\beta = \sum_{i=0}^{N-1} r_i\theta^i \in K_{\mathbb{R}}$ and $\beta(x) = \sum r_i x^i \in \mathbb{R}[x]/(F(x))$, then $q(\beta) = \|\beta(x)\|_2^2$, as shown in the following lemma. This is one reason that the choice $F(x) = x^{2^n} + 1$ is a good one (note that $q$ and $\|\cdot\|_2^2$ are not the same in general).

Lemma 3. With $K = \mathbb{Q}(\theta)$ as above, let $S_\infty = \{\text{infinite primes of } K\}$, so that
$$\mathbb{R}[x]/(F(x)) = K_{\mathbb{R}} = \mathbb{C}^{S_\infty}.$$
Identify $\beta \in K_{\mathbb{R}}$ with $\beta(x) = \sum_{i=0}^{N-1} r_i x^i \in \mathbb{R}[x]/(F(x))$ and with $(\beta_i)_{i \in S_\infty} \in \mathbb{C}^{S_\infty}$. Then
$$q(\beta) = \frac{1}{N}\sum_{\sigma : K_{\mathbb{R}} \to \mathbb{C}} |\sigma(\beta)|^2 = \frac{2}{N}\sum_{i \in S_\infty} |\beta_i|^2 = \sum_{i=0}^{N-1} r_i^2 = \|\beta(x)\|_2^2 .$$

Proof. The second equality holds since each $i \in S_\infty$ corresponds to two embeddings $\sigma$. The third equality follows from the fact that the orthonormal basis $\{1, \theta, \dots, \theta^{N-1}\}$ for $K_{\mathbb{R}}$ with respect to the inner product corresponding to $q$ is identified with the basis $\{1, x, \dots, x^{N-1}\}$ for $\mathbb{R}[x]/(F(x))$, which is an orthonormal basis with respect to the inner product $\langle \sum r_i x^i, \sum s_i x^i \rangle = \sum r_i s_i$, and so these inner products must coincide. □

4.4. A first step. In this section we give a first approximation to our variant of the SV and GH schemes, which we will revise in Section 4.6. Let
$$\lambda = \theta + \theta^{-1}$$
and let
$$K^+ = \mathbb{Q}(\lambda) \subset K = \mathbb{Q}(\theta) = \mathbb{Q}[x]/(x^{2^n} + 1).$$
Then $K^+$ is the totally real subfield of the CM-field $K$. Let
$$R^+ = \mathbb{Z}[\lambda],$$
the ring of integers of $K^+$. Then $R = \mathbb{Z}[\theta] = R^+ + \theta R^+$ since $\theta\lambda = \theta^2 + 1$.

Choose $\rho_0$ and $\rho_1$ in $R^+ = \mathbb{Z}[\lambda]$, “at random” in some suitable sense. Let
$$\rho = \rho_0 + \theta\rho_1 \in R, \qquad \gamma' = \rho/\bar\rho \in K. \qquad (9)$$
Then
$$\overline{\gamma'} = \frac{\bar\rho}{\rho} = \frac{1}{\gamma'}.$$
Using the inner product given in (8), and the fact that $\gamma'\overline{\gamma'} = 1$, it is easy to see that
$$\langle \gamma'\theta^i, \gamma'\theta^j \rangle = \delta_{ij}.$$
Thus, the set $\{\gamma'\theta^i\}_{i=0}^{N-1}$ is a set of vectors in $K$ that is orthonormal with respect to the inner product $\langle\ ,\ \rangle$.

However, $\gamma'$ is not necessarily in $R$, and the cryptosystems require elements of $R$. So let
$$\gamma = M\gamma' + 1 \in R$$
where $M \in \mathbb{Z}$ is chosen so that $M\gamma' \in R$ (for example, one could take $M = \rho\bar\rho$), so that $d = \mathrm{Norm}_{K/\mathbb{Q}}(\gamma)$ is odd, and so that $R/\gamma R \cong \mathbb{Z}/d\mathbb{Z}$. Let
$$L = \gamma R,$$
the ideal lattice in $R$ generated by $\gamma$.

As in Section 3.3, the private key is $\gamma$ and the public key consists of $d$ and $r$. Since $\{\gamma\theta^i\}_{i=0}^{N-1}$ is a nearly orthogonal basis for the lattice $L$, decryption is likely to be feasible.
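As an added numerical illustration of Lemma 3 and of the orthonormality claim of Section 4.4 (this is example code written for this page, not code from the report or its authors), the following computes Gauss's measure $q$ and the inner product (8) directly from the embeddings $\sigma(\theta)$, the $N$ roots of $x^N + 1$, and checks that $q(\beta) = \|\beta(x)\|_2^2$, that $\{\theta^i\}$ and $\{\gamma'\theta^i\}$ with $\gamma' = \rho/\bar\rho$ are orthonormal, and, for contrast, that $q$ and $\|\cdot\|_2^2$ disagree on $\mathbb{Q}(\sqrt{2})$. The field $\mathbb{Q}(\sqrt 2)$ and the sample coefficient vectors are our own choices, not taken from the text.

```python
# Added example (not from the report): q(beta) = (1/N) sum_sigma |sigma(beta)|^2 computed from
# the embeddings, compared with ||beta(x)||_2^2 (Lemma 3), together with the inner product (8).
import cmath

def roots_of_x_N_plus_1(N):
    """sigma(theta) for the N embeddings K -> C: the primitive 2N-th roots of unity."""
    return [cmath.exp(1j * cmath.pi * (2 * k + 1) / N) for k in range(N)]

def evaluate(coeffs, z):
    """beta = sum r_i theta^i evaluated at one embedding, sigma(theta) = z."""
    return sum(r * z ** i for i, r in enumerate(coeffs))

def q_from_embeddings(coeffs, roots):
    """Gauss's general measure (renormalised): (1/N) * sum over embeddings of |sigma(beta)|^2."""
    return sum(abs(evaluate(coeffs, z)) ** 2 for z in roots) / len(roots)

def inner_product(b1, b2, roots):
    """(8): <beta, beta'> = (1/N) sum_sigma sigma(beta) * conj(sigma(beta'))."""
    return sum(evaluate(b1, z) * evaluate(b2, z).conjugate() for z in roots).real / len(roots)

def l2_squared(coeffs):
    """||beta(x)||_2^2 = sum r_i^2, the norm used in [36]."""
    return sum(r * r for r in coeffs)

def lemma3_gap(coeffs):
    """|q(beta) - ||beta(x)||_2^2| for F(x) = x^N + 1; Lemma 3 says this is zero."""
    roots = roots_of_x_N_plus_1(len(coeffs))
    return abs(q_from_embeddings(coeffs, roots) - l2_squared(coeffs))

def gram_defect_of_scaled_basis(rho, roots):
    """Section 4.4: gamma' = rho / conj(rho) has |sigma(gamma')| = 1 for every embedding, so
    {gamma' theta^i} is orthonormal.  Returns max |<gamma' theta^i, gamma' theta^j> - delta_ij|,
    using sigma(conj(rho)) = conj(sigma(rho)) (K is a CM-field)."""
    N = len(roots)
    g = [evaluate(rho, z) / evaluate(rho, z).conjugate() for z in roots]   # sigma(gamma')
    worst = 0.0
    for i in range(N):
        for j in range(N):
            ip = sum(gi * z ** i * (gi * z ** j).conjugate() for gi, z in zip(g, roots)).real / N
            worst = max(worst, abs(ip - (1.0 if i == j else 0.0)))
    return worst

def gauss_measure_sqrt2(r0, r1):
    """Contrast (our own example): K = Q(sqrt 2), beta = r0 + r1 sqrt 2, embeddings sqrt2 -> +-sqrt2.
    Then q(beta) = r0^2 + 2 r1^2, which differs from ||beta(x)||_2^2 = r0^2 + r1^2."""
    return q_from_embeddings([r0, r1], [2 ** 0.5, -(2 ** 0.5)])
```

Running `lemma3_gap([3, -1, 4, 1, -5, 9, 2, -6])` returns a value at floating-point noise level, while `gauss_measure_sqrt2(1, 1)` returns 3 against `l2_squared([1, 1]) == 2`, which is the "not the same in general" remark made concrete.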


4.5. Discussion of security of the first step. To what extent does this additional mathematical structure weaken the security of the scheme?

Before, the secret key $v(x)$ had $N$ degrees of freedom, corresponding to the $N$ coefficients of $v(x)$. Now there are $N/2$ degrees of freedom. This can be seen as follows. Choose $\rho_1$ suitably random in the degree $N/2$ number field $\mathbb{Q}(\lambda)$ and let $\rho = 1 + \theta\rho_1$. Multiplying by an element of $\mathbb{Q}(\lambda)^\times$ to get something of the form $\rho_0 + \theta\rho_1$ does not change $\gamma' = \rho/\bar\rho$.

Further, $\gamma\bar\gamma$ is a totally positive element of $R^+$, and
$$d = \mathrm{Norm}_{K/\mathbb{Q}}(\gamma) = \prod_{\sigma : K^+ \hookrightarrow \mathbb{R}} \sigma(\gamma\bar\gamma) \in \mathbb{R}_{>0}$$
where $\sigma$ runs through the $N/2$ embeddings of the field $K^+$ in $\mathbb{R}$. Letting
$$\delta = \gamma - 1 = M\gamma' \in R,$$
then
$$\delta\bar\delta = (\gamma - 1)(\bar\gamma - 1) = M^2 \in R^+$$
(since $\gamma'\overline{\gamma'} = 1$) and
$$\mathrm{Norm}_{K/\mathbb{Q}}(\delta) = M^N,$$
an $N$-th power that is close to the public information $d = \mathrm{Norm}_{K/\mathbb{Q}}(\gamma)$. Thus $d$ is approximately $M^N$, so $M$ is approximately $\sqrt[N]{d}$. Rounding $\sqrt[N]{d}$ to the nearest integer might yield $M$, and therefore also $\delta\bar\delta$. So the public information leaks information about $\delta\bar\delta$. Is this dangerous? That's not clear, so next we will try to do better.

4.6. A proposal for a somewhat homomorphic encryption scheme. To play it safer, we will take $\gamma = M\gamma' + e$, where $e \in R = \mathbb{Z}[x]/(F(x))$ is chosen so that the polynomial has small coefficients picked at random from too large a set to be guessable. The idea will be to take $e$ small enough so that $(\gamma\theta^i)_{i=0}^{N-1}$ is still an almost orthogonal basis for the lattice $L$ (i.e., so that $M\gamma'$ is still the dominant term). The randomness in the choice of $e$ adds to the security, in comparison to just taking $e = 1$. The variant of the SV and GH schemes mentioned in Section 4.2 can be viewed as a special case of the proposed scheme, but now we choose $v(x)$ from a larger set, giving potentially greater security. In Section 4.7 we will justify our choice of the set from which $e$ is taken, and will justify our lower bound on the size of the integer $M$. We next give the details.

With $\gamma'$ as in (9), take $M \in \mathbb{Z}$ so that $M\gamma' \in R$ and $M > 4N$. Choose $e \in R$ at random subject to the restriction that $\sqrt{q(e)} < \big(\sqrt{1 + \tfrac{1}{2N}} - 1\big)M$. Let
$$\gamma = M\gamma' + e$$
and let $d = \mathrm{Norm}_{K/\mathbb{Q}}(\gamma)$.

Write $\gamma = \sum_{i=0}^{N-1} v_i\theta^i$ with $v_i \in \mathbb{Z}$, let $v(x) = \sum_{i=0}^{N-1} v_i x^i \in \mathbb{Z}[x]$, and let $V$ be the matrix associated to $v(x)$ as in (1) above. Check that $d$ is odd and that $R/\gamma R \cong \mathbb{Z}/d\mathbb{Z}$. To check the latter, as in §3 of [16], compute $w(x) = \sum_{i=0}^{N-1} w_i x^i \in \mathbb{Z}[x]$ such that
$$w(x)v(x) \equiv d \pmod{F(x)}$$
and let $r = w_0/w_1 \pmod d$ (if $\gcd(w_1, d) = 1$), where as usual $r \in \mathbb{Z}$ is taken in the interval $[-d/2, d/2)$. Check that $r^N \equiv -1 \pmod d$. If so, then (as in §3 of [16]) the Hermite Normal Form $B$ of the matrix $V$ is of the form in equation (3). If any step above fails, start again with a new $e$ (and possibly $M$).

The private key is $\gamma \in R$.

The public key consists of $d$ and $r$.

To encrypt a message bit $b \in \{0, 1\}$, choose random integers $a_0,\dots,a_{N-1}$ with $\max_i |a_i| < \frac{M}{2\sqrt{N}\sqrt{1 + 1/N}}$ (the bound (13) of Corollary 10 below) and adjust them so that
$$\#\{i : a_i \text{ is odd}\} \equiv b \pmod 2.$$
Let $a = (a_0,\dots,a_{N-1}) \in \mathbb{Z}^N$.

As before, let the ciphertext $c$ be the translation of $a$ to the parallelepiped $P(B)$, i.e.,
$$c = a - \big(\lfloor aB^{-1} \rceil B\big).$$
As before, to decrypt a ciphertext $c$, let $a'$ be the translation of the ciphertext $c$ to the parallelepiped $P(V)$, i.e.,
$$a' = c - \big(\lfloor cV^{-1} \rceil V\big) = (a'_0,\dots,a'_{N-1}).$$
Let
$$b = \#\{i : a'_i \text{ is odd}\} \pmod 2.$$
By Corollary 10 below we have $a \in P(V)$, so $a = a'$ and decryption is successful.
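The procedure just described, together with the quantities of Section 4.1 (the resultant $d$, the cofactor $Z(x)$ of Lemma 2 and the lower bound (5) on $r_{\mathrm{Dec}}$), as a small worked instance. This is example code written for this page, not the authors' implementation; two choices are ours rather than the report's: $M$ is taken to be $\mathrm{Norm}_{K/\mathbb{Q}}(\rho)$, a rational integer that is a multiple of $\rho\bar\rho$ in $R^+$ and for which $M\gamma' = \rho\cdot(M/\bar\rho)$ lies in $R$, and the public HNF basis $B$ is assumed to have the usual SV/GH shape (the form (3) is not reproduced in this section), so that reducing $a$ to $P(B)$ amounts to $c = a(r) \bmod d$. Everything else (the sampling of $\rho_0,\rho_1\in\mathbb{Z}[\lambda]$, the bound on $\sqrt{q(e)}$ via Lemma 3 and Theorem 8, the checks on $d$ and $r$, the bound (13) on $a$, and decryption via $\lfloor cV^{-1}\rceil V$ with $V^{-1} = w(\theta)/d$) follows the text, with the ideal generated by $\gamma$ additionally verified to be $(d, \theta - r)$.

```python
# Added example (not from the report): toy instance of the Section 4.6 scheme for F(x) = x^N + 1,
# plus the Section 4.1 quantities d, ||Z(x)||_inf and the bound (5).  Assumptions not fixed by the
# text: M = Norm_{K/Q}(rho) (so M*gamma' = rho*(M/conj(rho)) lies in R) and the SV/GH shape of B.
import math, random
from fractions import Fraction

def mul(a, b):
    """Product in R = Z[x]/(x^N + 1): negacyclic convolution (x^N = -1)."""
    N = len(a); out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N: out[i + j] += ai * bj
            else:         out[i + j - N] -= ai * bj
    return out

def conj(a):
    """Complex conjugation on R: theta -> theta^{-1} = -theta^{N-1}."""
    N = len(a); out = [a[0]] + [0] * (N - 1)
    for i in range(1, N): out[N - i] -= a[i]
    return out

def norm_and_cofactor(v):
    """d = Norm_{K/Q}(v) = det(V) and Z(x) in Z[x] with Z(x) v(x) = d mod F(x) (as in Lemma 2)."""
    N = len(v)
    V = [mul([int(i == k) for i in range(N)], v) for k in range(N)]   # row k = x^k v(x) mod F
    A = [[Fraction(V[r][c]) for r in range(N)] + [Fraction(int(c == 0))] for c in range(N)]
    det = Fraction(1)                       # Gauss-Jordan on [V^T | e_0] solves s(x) v(x) = 1
    for c in range(N):
        p = next(r for r in range(c, N) if A[r][c] != 0)
        if p != c: A[c], A[p] = A[p], A[c]; det = -det
        piv = A[c][c]; det *= piv; A[c] = [x / piv for x in A[c]]
        for r in range(N):
            if r != c and A[r][c] != 0:
                f = A[r][c]; A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    d = int(det)
    return d, [int(d * A[r][N]) for r in range(N)]        # Z(x) = d s(x) is integral

def decryption_radius_bound(v):
    """Lemma 1 (d <= ||v||_2^N), Lemma 2 (||Z||_inf <= ||v||_2^{N-1}) and the bound (5) on r_Dec."""
    N = len(v); d, Z = norm_and_cofactor(v)
    s = sum(x * x for x in v)                       # ||v(x)||_2^2
    z_inf = max(abs(z) for z in Z)
    return {"d": d, "z_inf": z_inf,
            "lemma1": d * d <= s ** N,              # both lemmas checked squared, in integers
            "lemma2": z_inf * z_inf <= s ** (N - 1),
            "r_dec": d / (2 * N * math.sqrt(s) ** (N - 1))}

def keygen(N, seed, rho_bound=2, max_tries=500):
    """Section 4.6 key generation; retries until the checks pass, as the text directs."""
    rng = random.Random(seed)
    lam = [0] * N; lam[1] = 1; lam[N - 1] = -1         # lambda = theta + theta^{-1}
    theta = [0] * N; theta[1] = 1
    def rand_Rplus():                                  # random element of R^+ = Z[lambda]
        acc, p = [0] * N, [1] + [0] * (N - 1)
        for _ in range(N // 2):
            c = rng.randint(-rho_bound, rho_bound)
            acc = [x + c * y for x, y in zip(acc, p)]; p = mul(p, lam)
        return acc
    for _ in range(max_tries):
        rho = [x + y for x, y in zip(rand_Rplus(), mul(theta, rand_Rplus()))]  # rho0 + theta rho1
        if not any(rho): continue
        M, Zbar = norm_and_cofactor(conj(rho))         # Zbar conj(rho) = M, so M gamma' = rho Zbar
        emax = int((math.sqrt(1 + 1 / (2 * N)) - 1) * M / math.sqrt(N))
        if M < 4 * N + 1 or emax < 1: continue
        e = [rng.randint(-emax, emax) for _ in range(N)]
        Q = sum(x * x for x in e)                      # q(e) = ||e(x)||_2^2 by Lemma 3
        # sqrt(q(e)) < (sqrt(1+1/(2N)) - 1)M  <=>  2M sqrt(q(e)) + q(e) < M^2/(2N) (Thm 8, c = 1/2), exactly:
        if not (M * M > 2 * N * Q and 16 * N * N * M * M * Q < (M * M - 2 * N * Q) ** 2): continue
        gamma = [x + y for x, y in zip(mul(rho, Zbar), e)]
        d, w = norm_and_cofactor(gamma)               # w(x) gamma(x) = d mod F
        if d % 2 == 0 or math.gcd(w[1], d) != 1: continue
        r = w[0] * pow(w[1], -1, d) % d
        if 2 * r >= d: r -= d                          # representative in [-d/2, d/2)
        if pow(r, N, d) != d - 1 or sum(g * pow(r, i, d) for i, g in enumerate(gamma)) % d: continue
        return {"N": N, "M": M, "gamma": gamma, "w": w, "d": d, "r": r, "e": e}
    raise RuntimeError("no suitable key found")

def encrypt(pk, bit, rng):
    """Random a with max|a_i| < M/(2 sqrt(N) sqrt(1+1/N)) = M/(2 sqrt(N+1)) (13); odd count = b mod 2."""
    N, M, d, r = pk["N"], pk["M"], pk["d"], pk["r"]
    A = math.isqrt(M * M // (4 * (N + 1)))
    if 4 * (N + 1) * A * A >= M * M: A -= 1             # (13) is strict
    a = [rng.randint(-A, A) for _ in range(N)]
    if sum(x % 2 for x in a) % 2 != bit: a[0] += 1 if a[0] < A else -1
    return sum(ai * pow(r, i, d) for i, ai in enumerate(a)) % d, a   # c = a reduced to P(B)

def decrypt(sk, c):
    """a' = c - round(c V^{-1}) V with c V^{-1} = c w(theta)/d; b = number of odd a'_i mod 2."""
    k = [(2 * c * wi + sk["d"]) // (2 * sk["d"]) for wi in sk["w"]]   # nearest integers to c w_i / d
    a1 = [-x for x in mul(k, sk["gamma"])]; a1[0] += c
    return sum(x % 2 for x in a1) % 2, a1

def demo(seed=1, N=8, trials=8):
    """Generate a key and check that decryption recovers both a and b; returns (key, all_ok)."""
    key, rng, ok = keygen(N, seed), random.Random(seed), True
    for t in range(trials):
        c, a = encrypt(key, t % 2, rng)
        ok = ok and decrypt(key, c) == (t % 2, a)
    return key, ok
```

`demo()` generates an $N = 8$ key and round-trips a few bits; `decryption_radius_bound([3, 1, 0, 0])` gives $d = 82 = 3^4 + 1$ and $Z(x) = 27 - 9x + 3x^2 - x^3$, so $\|Z\|_\infty = 27 \le \|v\|_2^{3} \approx 31.6$, while for $v = (2^t, 0, \dots, 0)$ both Lemma 1 and Lemma 2 hold with equality. Because $M = \mathrm{Norm}_{K/\mathbb{Q}}(\rho)$ is large, $d \approx M^N$ has many digits even at this toy size; the arithmetic is exact, so this only affects speed.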


4.7. Justification of parameter choices. In this section we justify the conclusion that $a \in P(V)$, and we justify our choices $M \ge 4N + 1$, $\sqrt{q(e)} < \big(\sqrt{1 + \tfrac{1}{2N}} - 1\big)M$, and $A < \frac{M}{2\sqrt{N}\sqrt{1 + 1/N}}$.

Definition 4. If $A = (a_{ij})$ is an $N \times N$ matrix with real entries, define
$$\|A\| = \max_{i,j} |a_{ij}|.$$
Matrix multiplication shows that whenever $E$ and $F$ are $N \times N$ matrices with real entries, then
$$\|EF\| \le N\,\|E\| \cdot \|F\|. \qquad (10)$$
Write $I_N$ for the $N \times N$ identity matrix.


Lemma 5. Suppose $A$ is an $N \times N$ matrix with real entries, $\delta \in \mathbb{R}$, $0 \le \delta < 1$, and
$$\|A - I_N\| \le \frac{\delta}{N}.$$
Then $A$ is invertible, and
$$\|A^{-1} - I_N\| \le \frac{\delta}{N(1 - \delta)}.$$

Proof. Let $D = I_N - A$. Then $\|D\| \le \delta/N$. By (10) we have $\|D^i\| \le \delta^i/N$. Since $\delta^i \to 0$ as $i \to \infty$, we have
$$A^{-1} = I_N + D + D^2 + D^3 + \cdots$$
and
$$\|A^{-1} - I_N\| \le \sum_{i \ge 1} \frac{\delta^i}{N} = \frac{\delta}{N(1 - \delta)}. \qquad □$$


Proposition 6. Suppose $(L, q)$ is a lattice of rank $N$, and $\langle\ ,\ \rangle$ is the inner product associated to $q$, and $\{b_1,\dots,b_N\}$ is a $\mathbb{Z}$-basis for $L$. Let $C = (\langle b_i, b_j \rangle)_{i,j}$ denote the associated $(N \times N)$ Gram matrix. Suppose that $m \in \mathbb{R}_{>0}$, that $\varepsilon \in \mathbb{R}_{\ge 0}$, that
$$\|C - mI_N\| \le \varepsilon,$$
and that $\varepsilon < m/N$. Suppose $\alpha \in L \otimes_{\mathbb{Z}} \mathbb{R} = \mathbb{R}L$ and write $\alpha = \sum_{i=1}^{N} \alpha_i b_i$ with $\alpha_i \in \mathbb{R}$. Then for $i = 1,\dots,N$ we have
$$|\alpha_i|^2 \le \frac{q(\alpha)}{m}\Big(1 + \frac{\varepsilon}{m - N\varepsilon}\Big).$$

Proof. Let $\{b_i^*\}_{i=1}^{N}$ denote the dual basis of $L \otimes_{\mathbb{Z}} \mathbb{R}$ to the basis $\{b_i\}$, i.e., $\langle b_i^*, b_j \rangle = \delta_{ij}$, where $\delta_{ij}$ is Kronecker's delta. Let $C' = (\langle b_i^*, b_j^* \rangle)_{i,j}$, an $N \times N$ matrix with real entries. It is an exercise to show that $C' = C^{-1}$.

Since $\|C - mI_N\| \le \varepsilon$, it follows that $\|m^{-1}C - I_N\| \le \varepsilon/m$. Applying Lemma 5 with $A = m^{-1}C$ and $\delta = N\varepsilon/m$ gives
$$\|mC' - I_N\| \le \frac{\varepsilon}{m - N\varepsilon}.$$
Thus
$$\|C' - m^{-1}I_N\| \le \frac{\varepsilon}{m(m - N\varepsilon)},$$
yielding
$$\|C'\| \le \frac{1}{m}\Big(1 + \frac{\varepsilon}{m - N\varepsilon}\Big). \qquad (11)$$
Further, $\langle b_i^*, \alpha \rangle = \sum_{j=1}^{N} \alpha_j \langle b_i^*, b_j \rangle = \alpha_i$. Now by the Cauchy-Schwarz inequality (7) and by (6),
$$|\alpha_i| = |\langle b_i^*, \alpha \rangle| \le \sqrt{q(b_i^*)}\,\sqrt{q(\alpha)}, \quad\text{so}\quad |\alpha_i|^2 \le q(\alpha)\,q(b_i^*) = q(\alpha)\,\langle b_i^*, b_i^* \rangle.$$
Using (11) we now have
$$|\alpha_i|^2 \le q(\alpha)\,\langle b_i^*, b_i^* \rangle \le q(\alpha)\,\|C'\| \le \frac{q(\alpha)}{m}\Big(1 + \frac{\varepsilon}{m - N\varepsilon}\Big),$$
as desired.


Lemma 7. As usual, let $\theta$ be a root of $x^{2^n} + 1$, let $K = \mathbb{Q}(\theta)$, and let $R = \mathbb{Z}[\theta]$. Suppose that $M \in \mathbb{Z}_{>0}$, $\gamma' \in K$, and $e \in R$, and suppose that $\gamma'\overline{\gamma'} = 1$ and $M\gamma' \in R$. Let $\gamma = M\gamma' + e \in R$. Define $q$ and $\langle\ ,\ \rangle$ as in Section 4.3 and let $\delta_{ij}$ denote Kronecker's delta. For $i = 1,\dots,N$, let $b_i = \gamma\theta^{i-1}$. Then for all $i$ and $j$ in $\{1,\dots,N\}$ we have
$$|\langle b_i, b_j \rangle - M^2\delta_{ij}| \le 2M\sqrt{q(e)} + q(e).$$

Proof. Note that $\langle \theta^i, \theta^j \rangle = \delta_{ij}$ and $\langle \gamma'\theta^i, \gamma'\theta^j \rangle = \delta_{ij}$ as before, so $q(\theta^i) = \langle \theta^i, \theta^i \rangle = 1$ and $q(\gamma'\theta^i) = \langle \gamma'\theta^i, \gamma'\theta^i \rangle = 1$. We then have
$$\begin{aligned}
|\langle b_i, b_j \rangle - M^2\delta_{ij}| &= |\langle M\gamma'\theta^{i-1} + e\theta^{i-1},\ M\gamma'\theta^{j-1} + e\theta^{j-1} \rangle - M^2\delta_{ij}| \\
&= |\langle M\gamma'\theta^{i-1}, e\theta^{j-1} \rangle + \langle e\theta^{i-1}, M\gamma'\theta^{j-1} \rangle + \langle e\theta^{i-1}, e\theta^{j-1} \rangle| \\
&\le M\,|\langle \gamma'\theta^{i-1}, e\theta^{j-1} \rangle| + M\,|\langle e\theta^{i-1}, \gamma'\theta^{j-1} \rangle| + |\langle e\theta^{i-1}, e\theta^{j-1} \rangle| \\
&\le 2M\sqrt{q(e)} + q(e)
\end{aligned}$$
where the last inequality follows from the Cauchy-Schwarz inequality (7) and the equalities $q(\gamma'\theta^i) = 1$ and $q(\theta^i) = 1$. □


Theorem 8. Suppose $\theta$, $M$, $\gamma'$, $e$, $\gamma$, and $q$ are as in Lemma 7. Suppose $\alpha = \sum_{i=1}^{N} \alpha_i\gamma\theta^{i-1}$ with $\alpha_i \in \mathbb{R}$. Suppose $0 < c < 1$ and
$$\sqrt{q(e)} < \Big(\sqrt{1 + \frac{c}{N}} - 1\Big)M. \qquad (12)$$
Then
$$|\alpha_i|^2 \le \frac{q(\alpha)}{M^2}\Big(1 + \frac{2M\sqrt{q(e)} + q(e)}{M^2(1 - c)}\Big).$$

Proof. Let $\varepsilon = 2M\sqrt{q(e)} + q(e)$. Then (12) holds if and only if $\varepsilon < cM^2/N$, as follows:
$$\varepsilon - cM^2/N = 2M\sqrt{q(e)} + q(e) - cM^2/N = \big(\sqrt{q(e)} + M\big)^2 - (1 + c/N)M^2.$$
So $\varepsilon < cM^2/N$ if and only if $\big(\sqrt{q(e)} + M\big)^2 < (1 + c/N)M^2$. Now take square roots. By Lemma 7 we can apply Proposition 6 with $m = M^2$, giving
$$|\alpha_i|^2 \le \frac{q(\alpha)}{M^2}\Big(1 + \frac{\varepsilon}{M^2 - N\varepsilon}\Big) \le \frac{q(\alpha)}{M^2}\Big(1 + \frac{\varepsilon}{M^2(1 - c)}\Big)$$
as desired, where the last inequality uses that $\varepsilon < cM^2/N$. □


Remark 9. With hypotheses as in Theorem 8, if one takes $\alpha$ so that
$$q(\alpha) < \frac{M^2}{4\big[1 + \frac{c}{N(1 - c)}\big]}$$
and uses that $2M\sqrt{q(e)} + q(e) = \varepsilon < cM^2/N$, then Theorem 8 gives that $|\alpha_i| < 1/2$ for all $i$.


Corollary 10. Suppose $\theta$, $M$, $\gamma'$, $e$, $\gamma$, and $q$ are as in Lemma 7, and suppose that
$$\sqrt{q(e)} < \Big(\sqrt{1 + \frac{1}{2N}} - 1\Big)M.$$
Suppose $\alpha = \sum_{i=0}^{N-1} a_i\theta^i = \sum_{i=1}^{N} \alpha_i\gamma\theta^{i-1}$ with $a_i, \alpha_i \in \mathbb{R}$. Let $A = \max_i |a_i| \in \mathbb{R}_{\ge 0}$ and suppose
$$A < \frac{M}{2\sqrt{N}\sqrt{1 + \frac{1}{N}}}. \qquad (13)$$
Then $|\alpha_i| < 1/2$.

Proof. Take $c = 1/2$ in Theorem 8, and use Theorem 8 and that $2M\sqrt{q(e)} + q(e) = \varepsilon < cM^2/N = M^2/(2N)$, to obtain
$$|\alpha_i|^2 \le \frac{q(\alpha)}{M^2}\Big(1 + \frac{\varepsilon}{M^2/2}\Big) < \frac{q(\alpha)}{M^2}\Big(1 + \frac{1}{N}\Big).$$
By Lemma 3 and the definition of $A$ we have $q(\alpha) \le NA^2$. Now apply (13). □
Remark 11. Since $1 + \frac{1}{2N}$ is approximately $\big(1 + \frac{1}{4N}\big)^2$, we have that
$$\Big(\sqrt{1 + \frac{1}{2N}} - 1\Big)M \approx \frac{M}{4N}.$$
So the upper bound on $\sqrt{q(e)}$ in the above results forces $M \gg N$. Taking $M \ge 2N + \sqrt{2N(2N+1)}$ (or more simply $M \ge 4N + 1$) ensures that $\big(\sqrt{1 + \frac{1}{2N}} - 1\big)M \ge 1$.

4.8. Discussion of security. Recall that $\gamma = M\gamma' + e$ and $\gamma'\overline{\gamma'} = 1$. Let $L^+ = \mathrm{Norm}_{K/K^+}(L)$, an ideal in $R^+$. Then $L^+$ is a lattice in the Euclidean space
$$E^+ = R^+ \otimes_{\mathbb{Z}} \mathbb{R} \cong \mathbb{R}^{N/2},$$
and
$$\gamma\bar\gamma \in (\gamma\bar\gamma)R^+ = L^+ \cong \mathbb{Z}^{N/2}.$$
Since $K$ is a CM-field, we have $\sigma(\gamma'\overline{\gamma'}) = 1$ for all $\sigma : K \hookrightarrow \mathbb{C}$, and
$$d = \mathrm{Norm}_{K/\mathbb{Q}}(\gamma) = \prod_{\sigma : K \hookrightarrow \mathbb{C}} \sigma(\gamma) = \prod_{\tau : K^+ \hookrightarrow \mathbb{R}} \tau(\gamma\bar\gamma).$$
For each real embedding $\tau : K^+ \hookrightarrow \mathbb{R}$, the size of $\tau(\gamma\bar\gamma)$ is close to $d^{2/N}$. Let
$$a^+ = 1 \otimes d^{2/N} \in E^+.$$
Then $a^+$ is close to $\gamma\bar\gamma$. With a sufficiently good inhomogeneous approximation algorithm one could recover $\gamma\bar\gamma$ from $a^+$. Analyzing known attacks comes down to the question of how good the LLL algorithm is at solving inhomogeneous approximation problems. If $e$ were too small, LLL would recover $\gamma\bar\gamma$, though it is not clear how much this would help to recover $\gamma$. Even if one learns $\gamma\bar\gamma$ and $\delta\bar\delta$ (with $\delta = \gamma - 1$ as in Section 4.5), if $e$ is unknown one still does not know $\delta$ or $\gamma$.

Gentry  points  out  in  his  PhD  thesis  [13,  p.  68]  that  the  NTRU  signature  attack  in 
the  Gentry-Szydlo  paper  [20]  provides  an  attack  on  certain  ideal  lattices  in  certain 
rings  of  the  form  Z[x]/(xN  —  1)  that  have  an  orthonormal  basis.  More  work  is  needed 
to  determine  whether  such  an  attack  can  be  used  to  weaken  the  security  of  the  scheme 
presented  here. 
5.  Conclusions 


The mathematical foundations for certain Somewhat Homomorphic Encryption schemes are studied and developed, and strengths and weaknesses are discovered. In addition, Lenstra and Silverberg propose lattices with nearly orthogonal bases, for use in Fully Homomorphic Encryption. These bases, when used as the secret key in a Fully Homomorphic Encryption scheme, are designed to allow efficient decryption. Justification is given that this choice provides a better balance of security and efficiency than related previously proposed lattice-based Fully Homomorphic Encryption schemes. Further work is needed to quantify the security of Fully Homomorphic Encryption schemes that are based on lattices that have nearly orthogonal bases.
6.  Recommendations 


In order to give convincing evidence that methods for computing on encrypted data are cryptographically secure, it is important to discover, develop, and understand the mathematical foundations on which these methods rely. This will enable the construction of more efficient and secure systems, and will give reliable information and confidence as to which systems are secure. Recent proposals for secure computing on encrypted data make use of lattices that have some symmetry. Therefore, the primary recommendation is that the mathematical foundations of lattices with symmetry be discovered and developed. An additional recommendation is that the security of homomorphic encryption schemes based on ideal lattices be quantified, in order to give confidence in the security of such schemes and in order to be able to effectively compare different schemes.
List  of  Symbols,  Abbreviations,  and  Acronyms 


C  the  complex  numbers 

FHE  Fully  Homomorphic  Encryption 

F_q  the  finite  field  with  q  elements 

GH  Gentry-Halevi  Somewhat  Homomorphic  Encryption  scheme 

LLL  Lenstra-Lenstra-Lovász  lattice  basis  reduction  algorithm 

Q  the  rational  numbers 

R  the  real  numbers 

SHE  Somewhat  Homomorphic  Encryption 

SPIP  Small  Principal  Ideal  Problem 

SV  Smart- Vercauteren  Somewhat  Homomorphic  Encryption  scheme 

Z  the  integers 